User provisioning for IBM Connections Cloud – You have the choice

Customers who use IBM Cloud for Connections, Sametime or other applications face the problem of managing their cloud accounts. For a handful of users you can use the web frontend to add or change user accounts or to assign subscriptions and licenses. But in real-world scenarios it is not possible to manage thousands of users manually or to keep them synchronized with an on-prem user repository or LDAP.

This can be handled smarter.

There is an API for this – of course. In fact there are at least two of them:

In one of our last projects we had to learn that both of them have advantages and disadvantages:

IBM Integration Server

Customers can ask IBM to enable this feature. They are then allowed to upload user information over FTP or HTTP. The IBM Integration Server processes these files in batch mode and provides result files, which can be downloaded to check whether everything was processed correctly.

The CSV file format is quite simple and straightforward. A file can look like this:

This is really simple and works well, especially for one-time provisioning of users.

But it has some crucial limitations you should be aware of:

The CSV files are limited to 200 lines, so you have to split them up if you have more users.

The processing is delayed, depending on the server load.

The batch processing approach is not suited to more complex scenarios, e.g. if you try to create a user that already exists or try to assign more than the allowed number of users to a license.

Some operations are not supported, for example assigning users to applications without forcing each of them to accept a TOC.

There are solutions which utilize this approach.

In our case we had the additional challenge of syncing IBM Cloud users periodically from a local LDAP.

IBM Business Support System API (or BSS)

… matches these requirements. This REST-based API deals with JSON objects. It is really powerful and provides a wide range of actions for managing user accounts and licenses. It is also very easy to use. To read all users whose email address starts with “julius”, you can simply use this one line of code:

This API can easily be used with any programming language. In our case we used Python to implement a user sync process from the customer's LDAP and to provide additional maintenance functions as well. This script is triggered periodically to keep the Cloud users in sync with the customer's LDAP.

In this project the use of the BSS API and a powerful scripting language was the key to meeting the requirements with minimal effort and cost.
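The planning step of such an LDAP-to-cloud sync, as an added example (it is not the script from this project). The record field names, the seat count and the sample users are constructed, and no BSS or Integration Server call is made; the code handles the two cases named above, already existing users and a limited number of license seats, and splits rows to respect the 200-line file limit.

```python
"""Plan an LDAP-to-cloud sync before any API call (added example, constructed data)."""

LDAP = [  # constructed directory entries
    {"mail": "Ann@example.com", "displayName": "Ann Lee", "jobTitle": "Engineer"},
    {"mail": "bob@example.com", "displayName": "Bob Roy", "jobTitle": "Manager"},
    {"mail": "cy@example.com", "displayName": "Cy Kim", "jobTitle": "Analyst"},
    {"mail": "di@example.com", "displayName": "Di Ota", "jobTitle": "Designer"},
]
CLOUD = [  # constructed cloud accounts
    {"mail": "ann@example.com", "displayName": "Ann Lee", "jobTitle": "Intern"},
    {"mail": "eve@example.com", "displayName": "Eve Fox", "jobTitle": "Analyst"},
]


def plan_sync(ldap_users, cloud_users, seats_total):
    """Return (create, update, remove, skipped), keyed by lower-cased e-mail."""
    ldap = {u["mail"].strip().lower(): u for u in ldap_users}
    cloud = {u["mail"].strip().lower(): u for u in cloud_users}

    # Leavers: still in the cloud but gone from LDAP. Removing them frees seats.
    remove = sorted(set(cloud) - set(ldap))

    # Existing accounts are never re-created; only changed attributes are sent.
    # DisplayName and JobTitle are the fields the article says reach the profile.
    update = {}
    for mail in sorted(set(ldap) & set(cloud)):
        changed = {k: ldap[mail].get(k) for k in ("displayName", "jobTitle")
                   if ldap[mail].get(k) != cloud[mail].get(k)}
        if changed:
            update[mail] = changed

    # New accounts are capped at the seats left once the leavers are removed.
    free = max(seats_total - (len(cloud) - len(remove)), 0)
    new = sorted(set(ldap) - set(cloud))
    return new[:free], update, remove, new[free:]


def batches(rows, size=200):
    """Split rows into upload files of at most `size` lines.

    200 is the limit stated in the article; whether a header line counts
    toward it is not stated, so pass size=199 if it does (assumption).
    """
    return [rows[i:i + size] for i in range(0, len(rows), size)]
```

Reviewing the `remove` and `skipped` lists before applying them keeps a bad LDAP export from silently deprovisioning accounts or leaving new users without a seat.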

If you plan to use IBM Connections in the cloud, you should be aware of a limitation which is really hard to accept! The BSS API updates the users in the internal BSS cloud database that handles access and licenses. But only basic information such as DisplayName and JobTitle is updated in the user's Connections profile, which is what normal users see. All other profile fields are intended to be managed by the users themselves in their profile.

Also, the IBM Connections profiles-admin API, which would be an approach in an on-prem environment, is disabled by the IBM Cloud team. At the moment the only way to update Connections profiles is to use the Integration Server. Not really convenient!

Currently we are asking ourselves whether a mixture of both APIs would be the best and somehow only way to solve this problem. But we are not happy with this. We'll keep you updated once we have found a smarter way.

Hi Julius, I wanted to let you know that one of your limitation descriptions is not entirely correct: ‘ But only basic information such as DisplayName and JobTitle are updated in the users Connection profile which is visible for normal users. All other profiles fields are intended to be managed by the user themselves in their profile.’ You are right in the sense that the API cannot do this, but also keep in mind that the Integration Server can! So we have created automation procedures to feed data into fields like: description, experience, telephoneNumber, mobileNumber, faxNumber, phone1, phone2, phone3, address1, address2, address3, address4, item1, item2, item3, item4, item5, item6, item7, item8, item9, item10. Where the Item fields are custom fields that the customer can define himself. So, let us say that you provision users via the API first and a second later you submit a csv with any of the fields above coming from for example an HR system. Then within 30 minutes the account has all the data, fully automated, preventing the user from entering his phone number or something. This works for many customers. I do agree that an API approach might be better here, but it is not the end of the world.

“Also the IBM Connections profiles-admin API which would be an approach in an on-prem environment is disabled by the IBM Cloud team. At the moment the only way to update Connections profiles is to use the Integration Server. Not really convenient!”

So yes, you can update this information using Integration Server. But a mixture of API and Integration Server is not really the best option in my opinion.
It is not the end of the world… true – but it would be better if IBM provides a way to do this via API.
Integration Server limitations are also not really convenient if you use an automated way to sync users.